VPN routing issue

superpablopunch
Level 1

Hi all, I am going to try and explain this the best I can without exposing any IP address. So here is the issue. I have an existing Site-to-Site VPN with a client. This has been working perfectly. Recently my client set up a new server in his DMZ. He is requesting that my servers access this server in the DMZ via the public internet and not the VPN. So he gave me an IP address and port number to telnet to this system. For some reason I can't ping this IP or telnet to it from any of my servers in the network. If I try it outside the network I can access it. I am assuming that since my servers normally connect over the VPN to access his network there is some conflict. How can I route the same servers to access this DMZ outside the VPN? I have an ASA 5505. I'll post some of my config so you can see what I have so far:

access-list myClient extended permit ip object obj-10.0.11.167 host 192.168.10.128
access-list myClient extended permit ip object obj-10.0.11.169 host 192.168.10.128
access-list myClient extended permit ip object obj-10.0.11.167 host 192.168.91.17
access-list myClient extended permit ip object obj-10.0.11.169 host 192.168.91.17

crypto map IPSec_map 90 match address myClient
crypto map IPSec_map 90 set peer 167.0.0.1
crypto map IPSec_map 90 set ikev1 transform-set ESP_3DES_SHA
crypto map IPSec_map 90 set security-association lifetime seconds 28800

tunnel-group 167.0.0.1 type ipsec-l2l
tunnel-group 167.0.0.1 ipsec-attributes
 ikev1 pre-shared-key **********

Let's say the IP of the server in the DMZ is 167.0.0.2, as it's in the same subnet as the peer address, which is public.

Any ideas will help. Thanks!

3 Replies

Marvin Rhoads
Hall of Fame

Can you run a packet-tracer on your ASA with source = one of your servers, input = your inside interface, destination = his DMZ server public IP, port = the TCP port he gave you for the connection?

That will show you if and how the packet flows through your ASA.

Here's a link to the command reference (or you can do it via ASDM).

Well, it looks like it's allowed. I started a capture so I can dig deeper to see why the telnet isn't working:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj-10.0.11.167
 nat (inside,outside) static (removed IP)
Additional Information:
Static translate 10.0.11.167/2370 to (removed ip)/2370

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1107, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Can someone help me troubleshoot this capture?

 

https://www.dropbox.com/s/0dcvsenmjqjmp17/inside%20%281%29.pcap
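As an added example (my own, not code from this thread or from Cisco), a small Python parser that reduces packet-tracer output like the trace above to the facts a practitioner checks first: the verdict and egress interface, the first phase that dropped the packet, and whether a VPN phase appeared, which is what tells you if the flow matched the crypto map's interesting-traffic ACL. The sample trace is a constructed, trimmed copy of the posted output.

```python
import re
# Constructed sample: a trimmed copy of the packet-tracer output posted in this thread.
SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Implicit Rule

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Additional Information:
Static translate 10.0.11.167/2370 to (removed ip)/2370

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

def parse_packet_tracer(text):
    # Blank lines separate phases; each 'Key: value' line becomes a dict entry.
    phases, result = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # lines without a colon ('Implicit Rule', translate details) are skipped
                fields[key.strip()] = value.strip()
        if "Phase" in fields:
            phases.append(fields)
        elif "Action" in fields:
            result = fields
    return phases, result

def summarize(text):
    phases, result = parse_packet_tracer(text)
    types = [p.get("Type", "") for p in phases]
    drop = next((p for p in phases if p.get("Result") == "DROP"), None)
    return {
        "action": result.get("Action"),
        "egress": result.get("output-interface"),
        "phases": types,
        "dropped_at": drop["Type"] if drop else None,
        # A 'Type: VPN' phase appears only when the flow matches a crypto map ACL; none here = cleartext egress.
        "through_vpn": "VPN" in types,
    }
```

For the trace in this thread the summary reports `action: allow`, egress `outside` and no VPN phase, consistent with the crypto ACL only listing the two 192.168.x hosts.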